It has been a while since Microsoft has released the combined registration (security) feature that helps users to register for both MFA and SSPR can register once if the methods in the Azure AD Multi-Factor Authentication and SSPR policies are enabled. For more information about Combined security information registration please read https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined
One of the very common challenges that organizations had was, how can I restrict the security registration process within the trusted location and secure it from bad actors.
To enforce the security registration process from a trusted location only and block from any other, we can make use of the conditional access policy with grant access block, excluding all trusted locations. Follow the steps outlined in the Microsoft article here. Due to COVID and new variants coming up, the workforce is no longer working from a trusted location (office premises). So what other options do we have for a secure registration process?
Last year, Microsoft has announced the GA of filters for devices in Conditional Access policies which opens up lot more possibilities to restrict access to your resources.
In this blog post, we will see, how can we make use of the filters in Conditional Access policies to restrict the security information registration from trusted devices ONLY. The trusted devices can be of any device identity such as Hybrid Azure AD joined, Azure AD joined, or Azure AD registration. If your org allows only corporate-owned but not BYOD, we can do so as well with filters.
Login to Azure AD portal, click on security
Click on Conditional Access, Create new Policy
Name: Restrict Security Information registration - trusted device only
select Users or workload identities, include users or groups based on your requirement. For POC, you can limit this to test group or couple of users before applying this across the ORG.
Click on Cloud apps or actions, select the drop down, choose user actions, enable Register security information
Click on conditions, device platform, configure=Yes, include any device
Click on Locations, configure=Yes, and choose any Location
Click on Client Apps, Configure=Yes, choose browser and mobile aps and desktop clients
Click on filters, Configure Yes and click on Exclude filtered devices from Policy, in the property, you see lot of options.
For trusted devices, the property name is TrustType, follow the settings as per below.
Rule Syntax: device.trustType -eq "ServerAD" -or device.trustType -eq "AzureAD"
Access Controls, Grant, select Block
Enable policy, choose ON, click on Create.
This policy will now enforce the security registration only from the devices that are hybrid Azure AD joined or Azure AD joined.
For more information on supported device properties in Conditional Access policies using filters, please refer here